From 3cdec6454fb86e8d03a06944c0c68025733ed93f Mon Sep 17 00:00:00 2001 From: Shai Berger Date: Tue, 28 Apr 2026 11:59:06 +0300 Subject: [6.0.x] Refs CVE-2026-25674 -- Clarified role of umask in upload permissions. Backport of 604695cddb41981b84a8d976d1f4c74c39e112b0 from main. --- docs/ref/settings.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 3d0761dfc6..87f89b1abb 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -1641,6 +1641,12 @@ when using the :djadmin:`collectstatic` management command. See modes must be specified. If you try to use ``644``, you'll get totally incorrect behavior. +.. admonition:: A numeric value trumps umask + + When this setting has a numeric value (one you've set yourself, or the + default ``0o644``), this value will be used as is, and a umask will not + be applied to it. The umask will apply only if this setting is ``None``. + .. setting:: FILE_UPLOAD_TEMP_DIR ``FILE_UPLOAD_TEMP_DIR`` -- cgit v1.3
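Review bot: In the added admonition, the closing sentence ("The umask will apply only if this setting is ``None``") states the rule but not its practical consequence: with the default ``0o644`` left in place, a restrictive process umask does not tighten the mode of uploaded files at all. Since the commit subject ties this to CVE-2026-25674, consider saying so directly, for example that deployments relying on the umask to restrict uploads must set this to ``None`` or choose a tighter numeric mode. Two wording points in the same block: the title's "trumps" is colloquial for reference documentation ("A numeric value overrides the umask" reads more plainly), and "a umask will not be applied" followed by "The umask will apply" would be clearer if both referred to "the process umask".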